[ 
https://issues.apache.org/jira/browse/HADOOP-15457?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Siyao Meng updated HADOOP-15457:
--------------------------------
    Description: 
As of today, the YARN web UI lacks certain security-related HTTP response headers. 
We are planning to add a few default ones and also add support for headers to be 
added via XML config. Planning to make the two below the defaults.
 * X-XSS-Protection: 1; mode=block
 * X-Content-Type-Options: nosniff

Support for headers via config properties in core-site.xml will be along the 
lines below:
{code:java}
<property>
    <name>hadoop.http.header.Strict-Transport-Security</name>
    <value>valHSTSFromXML</value>
</property>{code}
In the above example, valHSTSFromXML is an example value; this should be 
[configured|https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security]
according to the security requirements.

With this Jira, users can set required headers by prefixing the HTTP header name with 
hadoop.http.header. and configuring it with the required value in their 
core-site.xml.

Example:

{code:java}
<property>
  <name>hadoop.http.header.http-header</name>
  <value>http-header-value</value>
</property>
{code}

A regex matcher will lift these properties and add them to the response headers 
when Jetty prepares the response.
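
As an added illustration (not code from the HADOOP-15457 patches), the Python below sketches what the lifting step has to do: match the hadoop.http.header. prefix, merge the matches over the two proposed defaults, and refuse names that are not valid header tokens or values containing CR/LF, since copying such a value verbatim would add extra header lines to the response. The core-site.xml fragments are constructed for the demo.

```python
import re
import xml.etree.ElementTree as ET

# Constructed core-site.xml fragments for the demo (not from the Hadoop repo).
CORE_SITE_XML = """<configuration>
  <property><name>fs.defaultFS</name><value>hdfs://nn:8020</value></property>
  <property>
    <name>hadoop.http.header.Strict-Transport-Security</name>
    <value>max-age=31536000; includeSubDomains</value>
  </property>
  <property>
    <name>hadoop.http.header.X-Frame-Options</name>
    <value>SAMEORIGIN</value>
  </property>
</configuration>"""

# A value carrying CR LF (here as XML character references) would start a new
# header line if it were copied into the response verbatim.
INJECTION_XML = """<configuration>
  <property>
    <name>hadoop.http.header.X-Demo</name>
    <value>ok&#13;&#10;Set-Cookie: injected=1</value>
  </property>
</configuration>"""

HEADER_PREFIX_RE = re.compile(r"^hadoop\.http\.header\.(.+)$")
# Header field names must be RFC 7230 tokens (no spaces, colons or CR/LF).
TOKEN_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
# Defaults the issue proposes; a hadoop.http.header.* entry overrides them.
DEFAULT_HEADERS = {
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}


def lift_headers(core_site_xml: str) -> dict:
    """Return the response headers to set: the defaults plus every
    hadoop.http.header.<Name> property, rejecting malformed entries."""
    headers = dict(DEFAULT_HEADERS)
    root = ET.fromstring(core_site_xml)
    for prop in root.findall("property"):
        name = (prop.findtext("name") or "").strip()
        match = HEADER_PREFIX_RE.match(name)
        if not match:
            continue  # unrelated property, e.g. fs.defaultFS
        header, value = match.group(1), (prop.findtext("value") or "")
        if not TOKEN_RE.match(header) or "\r" in value or "\n" in value:
            raise ValueError(f"refusing malformed header property {name!r}")
        headers[header] = value.strip()
    return headers
```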

  was:
As of today, the YARN web UI lacks certain security-related HTTP response headers. 
We are planning to add a few default ones and also add support for headers to be 
added via XML config. Planning to make the two below the defaults.
 * X-XSS-Protection: 1; mode=block
 * X-Content-Type-Options: nosniff

Support for headers via config properties in core-site.xml will be along the 
lines below:
{code:java}
<property>
     <name>hadoop.http.header.Strict_Transport_Security</name>
     <value>valHSTSFromXML</value>
 </property>{code}
In the above example, valHSTSFromXML is an example value; this should be 
configured according to the security requirements.

With this Jira, users can set required headers by prefixing the HTTP header name with 
hadoop.http.header. and configuring it with the required value in their 
core-site.xml.

Example:
{code:java}
<property>
 <name>hadoop.http.header.http-header>
 <value>http-header-value</value>
</property>
{code}

A regex matcher will lift these properties and add them to the response headers 
when Jetty prepares the response.


> Add Security-Related HTTP Response Header in WEBUIs.
> ----------------------------------------------------
>
>                 Key: HADOOP-15457
>                 URL: https://issues.apache.org/jira/browse/HADOOP-15457
>             Project: Hadoop Common
>          Issue Type: Improvement
>            Reporter: Kanwaljeet Sachdev
>            Assignee: Kanwaljeet Sachdev
>            Priority: Major
>              Labels: security
>             Fix For: 3.2.0
>
>         Attachments: HADOOP-15457.001.patch, HADOOP-15457.002.patch, 
> HADOOP-15457.003.patch, HADOOP-15457.004.patch, HADOOP-15457.005.patch, 
> YARN-8198.001.patch, YARN-8198.002.patch, YARN-8198.003.patch, 
> YARN-8198.004.patch, YARN-8198.005.patch
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)